Trustwave SpiderLabs’ Insights, History, and Mitigations for Scattered Spider
Recently, the UK retail market has been hit by a wave of cyberattacks, with well-known retailers M&S, Harrods and Co-op attacked in succession. The Scattered Spider group used phishing and social engineering to break into corporate systems and deployed BlackCat ransomware for double extortion. The group is financially motivated and mainly targets large enterprises to steal data or disrupt operations. 2025-5-2 16:30:24 Author: www.trustwave.com


The UK retail market has been thrown into turmoil in recent weeks, with three of that nation's highest-profile retailers targeted, and the well-known threat group Scattered Spider allegedly behind at least one of the most disruptive of these incidents.

Trustwave SpiderLabs has tracked Scattered Spider for more than a year and has created a detailed profile of the threat group, how it operates, its members, preferred targets, and has a long list of protective measures that an organization should have in place to help remain safe.

Many of the indicators SpiderLabs has reported match the current situation impacting the UK retail sector.

Background on the Recent Attacks

Marks & Spencer (M&S) confirmed on April 21 that it had been attacked, with Harrods and Co-op reporting similar incidents in the following days.

M&S was forced to shut down contactless payments and click-and-collect orders, as well as delaying online deliveries, according to published reports. Harrods has claimed to have stopped an intrusion attempt and is operating normally. Another attack forced food retailer Co-op to disconnect certain systems earlier this week after experiencing what it described as attempts to gain unauthorized access to some of its systems.

Only the M&S attack has been attributed to Scattered Spider. However, the timing and nature of the other attacks do bear some of the hallmarks of a Scattered Spider incident.

The NCSC has issued a warning to all retailers to bolster their cybersecurity defenses in light of these events, emphasizing the need for vigilance and robust incident response plans as the investigations continue to unfold.

All the information below is derived from a Trustwave SpiderLabs investigation into Scattered Spider.

Who is Scattered Spider?

Trustwave SpiderLabs' in-depth research has found Scattered Spider, which is also known as UNC3944, Muddled Libra, 0ktapus, and Scattered Swine, to be exclusively motivated by financial gain.

The consensus among researchers is that the group is comprised of relatively young threat actors reported to be between 17 and 22 years old, native English speakers, and primarily residing in Western countries. As we shall see, these traits will help the group during its initial access phase, which requires directly contacting employees to reach their targets.

Law enforcement has had some success against the group, with one known member, Noah Michael Urban, a 19-year-old from Florida, being arrested in January 2024 by U.S. authorities and charged with wire fraud, aggravated identity theft, and conspiring to use SIM swapping for cryptocurrency theft, according to the US Department of Justice.

Scattered Spider is known to have ties to other threat groups, including Lapsus$, 0ktapus, UNC3786, The Community, and the notorious BlackCat/ALPHV.

Scattered Spider's target list is long, contains many distinguished names, and covers many industry verticals. These include retail, telcos (Verizon and T-Mobile), hospitality (MGM Resorts International and Caesars Entertainment), insurance, and healthcare.

Geographically, many targeted organizations are in the US, but Scattered Spider has affected others in India, Canada, France, Sweden, and Australia, among other locations.

Scattered Spider's Modus Operandi

Scattered Spider's core objective is to target large organizations, particularly those in the Fortune 2000, with valuable Intellectual Property (IP) or critical operations, increasing the likelihood of ransom payment.

Software companies are frequently targeted for source code and code signing certificate theft. The group also targets organizations that can serve as a pivot point for supply chain attacks, such as identity providers and their outsourced service companies.

The group's latest monetization strategy involves deploying ransomware in victim environments, which appears to be what is happening in the UK retail sector.

The group has specifically used BlackCat ransomware since mid-2023 and implements double extortion ransomware campaigns.

This involves gaining access to a victim, taking data, and then threatening to publicly release it or further shut down the victim's systems if they are not paid.

Scattered Spider employed this methodology in its attacks against MGM Resorts and Caesars. MGM refused to pay, and the company then suffered significant system outages costing approximately $100 million, while Caesars reportedly paid around $15 million and experienced less downtime.

Gaining Initial Access

Scattered Spider's tradecraft and techniques involve a multi-stage approach, often starting with sophisticated social engineering and exploiting identity and access management systems.

The group begins with phishing/smishing attacks. These include sending deceptive SMS messages (smishing) with links to phishing portals or Telegram messages impersonating IT personnel.

It uses phishing kits like EIGHTBAIT (associated with its 0ktapus campaign), which send captured credentials to Telegram channels. Recent attacks (since January 2024) use HR and Single Sign-On themed lures.

One tactic that relies on the group's language skills to gain login credentials is to call help desks or individual employees while impersonating company IT staff, manipulating them into resetting passwords, modifying MFA factors, installing Remote Monitoring and Management (RMM) tools, navigating to fake login sites, or removing FIDO2 tokens.

Scattered Spider is also known to purchase employee credentials or session tokens on underground markets and use SIM swap techniques that transfer victims' mobile phone numbers to attacker-controlled devices, often facilitated by access gained through compromised telecom or BPO organizations. The group offers significant amounts (up to $20,000 weekly) for SIM swaps.

Even organizations that correctly have a Multifactor Authentication process in place are in danger as the group can bypass MFA through techniques like MFA bombing/push fatigue (repeatedly sending MFA requests until the user accepts) or exploiting vulnerabilities.

Additionally, the group:

  • Exploits public-facing applications by leveraging vulnerabilities, such as CVE-2021-35464 in ForgeRock OpenAM.
  • Uses stolen or newly created valid accounts, including cloud accounts.
  • Potentially exploits existing trusted relationships between organizations (e.g., supply chain).

Scattered Spider maintains persistence by abusing and controlling valid accounts and creating new user identities. It also modifies MFA tokens or registers new devices for MFA to maintain access and uses legitimate RMM tools, Citrix, and VPNs.

Defending Against Scattered Spider

Based on the detection opportunities and techniques described in the SpiderLabs investigation, organizations should implement several defensive measures:

1. Strengthen Authentication and Access Control:

  • Implement and Enforce Strong Multifactor Authentication (MFA): Require MFA for all users, especially for privileged accounts and access to sensitive systems. Monitor for MFA fatigue attacks (repeated failed MFA attempts) and suspicious MFA operations.
  • Alert on Sign-In Attempts from Anonymizing Proxies: Use logs to identify and flag sign-in attempts originating from known proxy services.
  • Monitor for Rare MFA Operations: Alert on infrequent but critical MFA events like factor updates, deactivation, bypass attempts, or resets.
  • Secure Credential Storage: Avoid storing credentials (passwords, keys) in insecure locations like Slack channels or files. Implement secure credential management solutions.
  • Monitor Identity Provider (IdP) Changes: Alert on the creation or modification of identity providers, especially by high-privilege administrators. Monitor for authentication errors due to mismatching IdP attributes.
  • Detect Malicious Sign-ins from Forged MFA: If a federated backdoor is suspected, monitor sign-in logs for instances where MFA requirements are satisfied by claims from external providers, as this could indicate a Golden SAML attack.
  • Review and Audit Cloud Access: Implement strict controls and regular audits for AWS and Azure accounts, particularly regarding IAM manipulation, role assumption, and access keys.
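The MFA fatigue and rare-MFA-operation detections above can be expressed as a small log rule. The following Python sketch is an added illustration, not code from the SpiderLabs post; it assumes events in an Okta System Log-like shape (eventType, actor.alternateId, published), uses constructed sample events, and treats the factor-operation event names as assumptions to be matched against your own tenant's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: events use an Okta System Log-like shape (eventType, actor.alternateId,
# published). Every record below is constructed for this example, not real log data.
def ev(ts, etype, user):
    return {"published": ts, "eventType": etype, "actor": {"alternateId": user}}

PUSH_SENT = "system.push.send_factor_verify_push"
# Rare, high-impact factor operations the article says to alert on (names assumed
# to match Okta eventType strings; adjust to your tenant's log schema).
RARE_MFA_OPS = {"user.mfa.factor.update", "user.mfa.factor.deactivate",
                "user.mfa.factor.reset_all", "user.mfa.attempt_bypass"}

SAMPLE_EVENTS = [
    ev("2025-04-21T08:00:05Z", PUSH_SENT, "alice"),   # five pushes in under four
    ev("2025-04-21T08:00:40Z", PUSH_SENT, "alice"),   # minutes: push-fatigue pattern
    ev("2025-04-21T08:01:10Z", PUSH_SENT, "alice"),
    ev("2025-04-21T08:01:50Z", PUSH_SENT, "alice"),
    ev("2025-04-21T08:03:00Z", PUSH_SENT, "alice"),
    ev("2025-04-21T08:30:00Z", PUSH_SENT, "bob"),     # two pushes 45 minutes apart:
    ev("2025-04-21T09:15:00Z", PUSH_SENT, "bob"),     # normal usage, must not alert
    ev("2025-04-21T09:40:00Z", "user.mfa.factor.reset_all", "helpdesk-admin"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_anomalies(events, push_threshold=5, window=timedelta(minutes=10)):
    """Flag MFA push fatigue (>= push_threshold pushes to one user inside `window`)
    and any rare factor operation. Returns one alert dict per finding."""
    alerts = []
    recent_pushes = defaultdict(deque)           # user -> push timestamps inside the window
    for e in sorted(events, key=lambda x: x["published"]):
        user, ts, etype = e["actor"]["alternateId"], parse_ts(e["published"]), e["eventType"]
        if etype == PUSH_SENT:
            q = recent_pushes[user]
            q.append(ts)
            while ts - q[0] > window:            # drop pushes that aged out of the window
                q.popleft()
            if len(q) == push_threshold:         # fire once, when the threshold is crossed
                alerts.append({"rule": "mfa_push_fatigue", "user": user, "time": e["published"]})
        elif etype in RARE_MFA_OPS:
            alerts.append({"rule": "rare_mfa_operation", "user": user,
                           "time": e["published"], "event": etype})
    return alerts
```

Tune `push_threshold` and `window` against your own baseline before alerting; a user who legitimately re-requests a push a few times should not trip the rule.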

2. Enhance Monitoring and Logging:

  • Collect and Analyze Logs Comprehensively: Ensure detailed logging is enabled for critical systems, including Windows Event Logs (Security, System, Sysmon), AWS CloudTrail, Azure Activity Log, Okta logs, and firewall/network logs.
  • Monitor for Reconnaissance Activities: Detect suspicious activities such as enumeration of EC2 instances, internal reconnaissance commands via serial connection (whoami, net group, nltest), usage of AD reconnaissance tools (PingCastle, ADRecon), scanning for open ports (RustScan, Advanced Port Scanner), bulk downloads from Azure AD, and cloud exploration activities (AWS, Azure).
  • Detect Lateral Movement: Monitor for serial console access attempts (AWS, Azure), creation/modification of cloud VMs, suspicious usage of ntdsutil.exe, Citrix session disconnect events correlated with suspicious activity (like ADExplorer download), and suspicious commands pushed to vCenter servers (snapshot manipulation, deletion).
  • Monitor for Persistence Mechanisms: Detect installation or execution of RMM tools, configuration of SSH tunnels, and other methods used to maintain access.
  • Detect Collection Activities: Monitor SharePoint file and directory discovery, access and collection of data in AWS S3, and other attempts to stage or gather data.
  • Detect Data Exfiltration: Monitor for DNS queries or network connections to known file-sharing or cloud storage services used by attackers (MEGA, Rclone destinations, Dropbox, Gofile, etc.). Detect Rclone config file creation or execution. Monitor SharePoint file operations from previously unseen IPs or user agents.
  • Monitor for Defense Evasion: Alert on deletion or stopping of CloudTrail logging, disabling/deletion of GuardDuty, loading of known vulnerable drivers (e.g., iqvw64.sys), driver loading from suspicious locations, clearing event logs, and suspicious registry modifications.

3. Improve Endpoint and Network Security:

  • Endpoint Detection and Response (EDR): Utilize EDR solutions to detect malicious process creation (e.g., sacsess.exe spawning cmd.exe, ntdsutil.exe, psexec.exe, wmic.exe, fsutil.exe, wevtutil.exe, arp, net use), file events (Rclone config files), driver loading, and network connections.
  • Network Segmentation: Implement network segmentation to limit lateral movement possibilities.
  • Firewall Rules: Configure firewalls to prevent unauthorized outbound connections, including to known malicious C2 infrastructure or unauthorized file-sharing services. Monitor for unauthorized changes to security groups, such as opening port 22 ingress in EC2.
  • Keep Systems Patched: Regularly patch software and systems to address known vulnerabilities, like the ForgeRock OpenAM (CVE-2021-35464) and Intel Ethernet driver (CVE-2015-2291) vulnerabilities exploited by Scattered Spider.
  • Monitor DNS Queries: Inspect DNS traffic for queries to domains associated with RMM tools, file-sharing services, or known attacker infrastructure.
  • Filter Malicious Domains: Use threat intelligence feeds to block access to known phishing domains and C2 infrastructure. Implement detection rules for phishing domain patterns, including typosquatting.
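The EDR point above (sacsess.exe spawning a shell or admin tooling, plus event-log clearing from the defense-evasion list) can be checked against process-creation telemetry with a few rules. This Python sketch is an added example, not SpiderLabs code; it assumes records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine, User) and uses constructed sample records.

```python
import ntpath

# Parent/child pairs from the article's EDR guidance: the Special Administration Console
# session host (sacsess.exe, reached over a serial console) should not be spawning shells
# or admin tooling. Record layout mirrors Sysmon Event ID 1 fields (assumption).
SERIAL_CONSOLE_PARENT = "sacsess.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "ntdsutil.exe", "psexec.exe", "wmic.exe",
                       "fsutil.exe", "wevtutil.exe", "arp.exe", "net.exe"}

# Constructed sample records; not taken from the article or from any real host.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\sacsess.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\svc-serial"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe", "User": r"CORP\svc-serial"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "User": r"CORP\jdoe"},            # benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "User": r"CORP\svc-serial"},
]

def basename(path):
    return ntpath.basename(path).lower()      # handles Windows paths on any OS

def classify(event):
    """Return the rule names that fire for one process-creation record."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    args = event.get("CommandLine", "").lower().split()[1:]
    hits = []
    if parent == SERIAL_CONSOLE_PARENT and image in SUSPICIOUS_CHILDREN:
        hits.append("serial_console_spawn")
    if image == "ntdsutil.exe":               # AD database tooling; rare outside DC maintenance
        hits.append("ntdsutil_execution")
    if image == "wevtutil.exe" and ("cl" in args or "clear-log" in args):
        hits.append("event_log_clear")        # defense evasion: clearing Windows event logs
    return hits

def scan(events):
    findings = []
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            findings.append({"index": i, "user": e.get("User"), "rules": hits})
    return findings
```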

4. Security Awareness and Training:

  • Train Employees on Phishing and Social Engineering: Educate employees, especially help desk personnel, about common phishing tactics, smishing attempts, vishing calls, and the importance of verifying identities before performing sensitive actions like password resets or MFA changes.
  • Promote Caution with MFA Requests: Train users to be suspicious of unexpected MFA push notifications and to only approve requests they initiated.

5. Specific Cloud Environment Defenses:

  • AWS: Monitor CloudTrail logs for GetSigninToken abuse (via aws_consoler), AssumeRole misuse, DescribeInstanceInformation, SendCommand, GetCommandInvocation via SSM, GuardDuty deletion/disassociation/invitation deletion, and CloudTrail stop/deletion.
  • Azure: Monitor Azure Activity Logs for serial console access, VM creation/modification (especially extensions like enablevmaccess), and usage of diagnostic extensions like CollectGuestLogs. Monitor Azure AD logs for suspicious activities related to user/group enumeration or privilege changes. Detect AiTM phishing via Okta FastPass failures.
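The AWS bullet above, together with the EC2 security-group point under Firewall Rules, maps directly onto CloudTrail event names. The Python sketch below is an added example, not SpiderLabs code; it assumes records laid out like CloudTrail JSON (eventSource, eventName, userIdentity, requestParameters), uses constructed sample records, and narrows the port-22 check to rules that open SSH to 0.0.0.0/0.

```python
# Constructed CloudTrail-style records (assumption: eventSource/eventName/userIdentity/
# requestParameters follow CloudTrail's JSON layout; values are made up for the example).
def rec(time, source, name, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
            "sourceIPAddress": "203.0.113.10", "requestParameters": params or {}}

SG_OPEN_22 = {"ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}

SAMPLE_RECORDS = [
    rec("2025-04-21T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances"),          # benign
    rec("2025-04-21T10:01:00Z", "cloudtrail.amazonaws.com", "StopLogging", {"name": "org-trail"}),
    rec("2025-04-21T10:02:00Z", "guardduty.amazonaws.com", "DeleteDetector"),
    rec("2025-04-21T10:03:00Z", "ssm.amazonaws.com", "SendCommand"),
    rec("2025-04-21T10:04:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", SG_OPEN_22),
]

# (eventSource, eventName) -> rule name. The API actions are the ones the article lists.
RULES = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "cloudtrail_disabled",
    ("guardduty.amazonaws.com", "DeleteDetector"): "guardduty_deleted",
    ("ssm.amazonaws.com", "SendCommand"): "ssm_remote_command",
    ("ssm.amazonaws.com", "GetCommandInvocation"): "ssm_remote_command",
    ("ssm.amazonaws.com", "DescribeInstanceInformation"): "ssm_instance_enumeration",
    ("signin.amazonaws.com", "GetSigninToken"): "console_token_minting",
}

def ssh_open_to_world(params):
    """True when an AuthorizeSecurityGroupIngress call allows TCP/22 from 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        if perm.get("ipProtocol") != "tcp" or not (perm.get("fromPort", 1) <= 22 <= perm.get("toPort", 0)):
            continue
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
    return False

def evaluate(record):
    """Return the matching rule name for one record, or None when it is benign."""
    key = (record["eventSource"], record["eventName"])
    if key in RULES:
        return RULES[key]
    if key == ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress") and ssh_open_to_world(record["requestParameters"]):
        return "sg_ssh_open_to_internet"
    return None

def triage(records):
    """One finding per record that matches a rule; benign records are dropped."""
    return [{"time": r["eventTime"], "actor": r["userIdentity"]["arn"], "ip": r["sourceIPAddress"],
             "rule": evaluate(r)} for r in records if evaluate(r)]
```

In production these rules belong in EventBridge or your SIEM rather than a batch script, but the matching logic is the same.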

6. Review and Secure DevOps Practices:

  • Scan Code Repositories: Use tools like Trufflehog, GitGuardian, or Jecretz to scan code repositories and Jira tickets for exposed credentials and secrets.
  • Secure CI/CD Pipelines: Implement controls to prevent unauthorized access to source code in platforms like GitHub and GitLab.

By implementing these layered defensive measures, organizations can significantly reduce their risk of being compromised by Scattered Spider and similar threat actors.

Trustwave is standing by to help any organization with concerns it is or may be impacted by Scattered Spider or any other threat group.

Trustwave SpiderLabs has the skills and resources to hunt for threat actors in your environment.

Trustwave’s Digital Forensics & Incident Response (DFIR) is ready to assist those looking to take additional proactive measures or who have been impacted by an incident and need to quickly contain the situation.

Finally, Trustwave can help an organization further ensure it understands its exact security posture through Red Team exercises and as a penetration test provider.  


Article source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/trustwave-spiderlabs-insights-history-and-mitigations-for-scattered-spider/